But in general:
Webserver = maldet (malware scanner), clamav (virusscanner), rhunter (rootkit scanner)
mailserver = clamav, rootkit scanner
dns = rootkit just because you can
db = rootkit, just because you can

If you configure your webservers to also send emails though php mail() (instead you should force your users to use smtp, IMHO) it might be good to go for some kind of firewall that prevents outgoing connections, sockets, and other bad stuff.

I also created a vpn network for the servers so that they can talk with each other without the issue of sending stuff in plain text.
Same for my backup server. all data goes through the vpn and is thus encrypted.

But in general:
Webserver = maldet (malware scanner), clamav (virusscanner), rhunter (rootkit scanner)
mailserver = clamav, rootkit scanner
dns = rootkit just because you can
db = rootkit, just because you can

If you configure your webservers to also send emails though php mail() (instead you should force your users to use smtp, IMHO) it might be good to go for some kind of firewall that prevents outgoing connections, sockets, and other bad stuff.

I also created a vpn network for the servers so that they can talk with each other without the issue of sending stuff in plain text.
Same for my backup server. all data goes through the vpn and is thus encrypted.